
Building Infrastructure you can (mostly) trust

In this talk, I look at how to build codified infrastructure that you can (mostly) trust and highlight important patterns that help in limiting the blast radius of changes.

This version of the talk was given at DevOops in November 2021.

---

Companion Code: github.com/ksatirli/building-infrastructure-you-can-mostly-trust

Kerim Satirli

November 09, 2021

Transcript

  1. [Diagram: sensors (TEMP, HUM, NOISE, LUX, PAX) feed Gateway 1, Gateway 2 … Gateway N (each with IN / OUT), which forward to CLOUD and INTERNAL]
  2. TERMINAL
     > terraform plan -out="iot.tfplan"
     Plan: 8 to add, 0 to change, 0 to destroy.
     ────────────────────────────────────────
     Saved the plan to: iot.tfplan

     Run the following command to apply:
         terraform apply "iot.tfplan"
  3. [Diagram: trust groups]
     You
     Neighbours: direct teammates
     In-Group: associated teams, rest of organization
     Out-Group: external partners, general public, OSS contributions
  4. CODE EDITOR: Trustable Code
     resource "yandex_compute_instance" "exposition" {
       name        = "vdnkh-1"
       platform_id = "standard-v1"
       zone        = var.yandex_zone

       resources {
         cores  = 20
         memory = 48
       }

       boot_disk {
         auto_delete = true
         initialize_params {
           image_id = data.yandex_compute_image.ubuntu.image_id
         }
       }
       # …
     }
  5. TERMINAL: Trustable Code
     > git log -1
     commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
     Author: Kerim Satirli <[email protected]>
     Date:   Tue Nov 9 09:41:00 2021 +0200

         linting
  6. TERMINAL: Trustable Code
     > git log --show-signature -1
     commit dbbb68b7cd862a95467940a3636813117d3bd2cd (HEAD -> main)
     gpg: Signature made Tue Nov 9 09:41:00 2021
     gpg:                using RSA key DAC9F8147655C16210FC5BA84E06DF3A215B79A8
     gpg: Good signature "[email protected]"
     Author: Kerim Satirli <[email protected]>
     Date:   Tue Nov 9 09:41:00 2021 +0200

         linting
  7. TERMINAL: Validation (basic)
     > terraform validate
     │ Error: Reference to undeclared input variable
     │
     │   on compute.tf line 5, in resource "yandex_compute_instance" "exposition":
     │    5:   zone = var.yandex_zon
     │
     │ An input variable with the name "yandex_zon" has not been declared.
     │ Did you mean "yandex_zone"?
  8. TERMINAL: Validation (basic)
     > pre-commit run --all-files
     Check for added large files............................Passed
     Check for case conflicts...............................Passed
     Check for merge conflicts..............................Passed
     Terraform fmt..........................................Passed
     Terraform validate.....................................Passed
  9. TERMINAL: Validation (advanced)
     > tflint
     1 issue(s) found:

     Notice: resource name `exposition-test` must match the following format: snake_case (terraform_naming_convention)

       on compute.tf line 2:
        2: resource "yandex_compute_instance" "exposition-test" {

     Reference: github.com/terraform-linters/tflint/blob/master/docs/rules/terraform_naming_convention.md
  10. CODE EDITOR: Version Pinning
      terraform {
        required_providers {
          yandex = {
            source  = "yandex-cloud/yandex"
            version = "0.66.0"
          }
        }

        required_version = "1.0.10"
      }
  11. CODE EDITOR: Version Pinning (repeat of slide 10)
  12. Learn more about the Terraform 1.0 Compatibility Promises: https://www.terraform.io/docs/language/v1-compatibility-promises.html
  13. TERMINAL: Version Pinning
      > terraform init
      Initializing provider plugins...
      - Finding yandex-cloud/yandex versions matching "0.66.0"...
      - Installing yandex-cloud/yandex v0.66.0...
      - Installed yandex-cloud/yandex v0.66.0 (key ID E40F590B50BB8E40)
  14. CODE EDITOR: Version Pinning (.terraform.lock.hcl)
      provider "registry.terraform.io/yandex-cloud/yandex" {
        version     = "0.66.0"
        constraints = "0.66.0"
        hashes = [
          "h1:oThGd+Ls…84poGbY=",
          "zh:2eb19ceb…bc734a96",
          "zh:3f094b5b…3647a69d",
          "zh:43f1c9f0…996adb2c",
          "zh:44ca4c74…928943c9",
          "zh:609f33ad…9f1592ce",
          "zh:6da9c95b…1d179d88",
          "zh:6deacbba…bc2031a1",
          "zh:77283a62…60a436da",
          "zh:8a12d8cb…a683aa4c",
          "zh:9c91491d…2d40e0fc",
          "zh:b3b37f83…4ca284fd",
          "zh:dc8cd0d2…fff4016f",
          "zh:e298c674…f5e72b26",
        ]
      }
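The lock file above is what makes `terraform init` verify the provider it installs, but it only helps if the committed file actually records exact pins and hashes. The script below is an added example, not code from the talk or its companion repository: a small CI gate that parses a `.terraform.lock.hcl` and rejects any provider whose `constraints` is not an exact `x.y.z` version or that has no hashes. The function name `check_lock_pins`, the two sample lock files and their hash values are constructed for this example (the hashes are dummies, not real provider checksums).

```bash
#!/usr/bin/env sh
# Added example: gate a committed .terraform.lock.hcl before `terraform init`.
# Terraform verifies the recorded hashes at init time; this only asserts that
# the lock file records an exact version constraint and at least one hash per
# provider, so a loosened required_providers constraint cannot slip in unseen.
# Both lock files below are constructed samples with dummy hash values.

LOCK_PINNED=$(cat <<'EOF'
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/yandex-cloud/yandex" {
  version     = "0.66.0"
  constraints = "0.66.0"
  hashes = [
    "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}
EOF
)

# Same provider plus a second one whose constraint floats with "~>".
LOCK_FLOATING=$(cat <<'EOF'
provider "registry.terraform.io/yandex-cloud/yandex" {
  version     = "0.66.0"
  constraints = "0.66.0"
  hashes = [
    "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version     = "3.1.0"
  constraints = "~> 3.1"
  hashes = [
    "zh:1111111111111111111111111111111111111111111111111111111111111111",
  ]
}
EOF
)

# check_lock_pins FILE
# Prints "<source> OK" or "<source> FAIL: <reason>" per provider block and
# returns non-zero if any provider is not exactly pinned or has no hashes.
check_lock_pins() {
  awk '
    # Block header:  provider "registry.terraform.io/<namespace>/<name>" {
    /^provider "/ {
      src = $2; gsub(/"/, "", src)
      constraint = ""; nhash = 0; in_block = 1
      next
    }
    in_block && /^[[:space:]]*constraints[[:space:]]*=/ {
      constraint = $0
      sub(/^[^"]*"/, "", constraint); sub(/".*$/, "", constraint)
    }
    # Count h1: (package) and zh: (zip) hashes alike; init refuses to proceed
    # when the downloaded provider matches none of the recorded hashes.
    in_block && /"(h1|zh):/ { nhash++ }
    # A brace in column 0 closes the provider block.
    in_block && /^}/ {
      reason = ""
      if (constraint == "")
        reason = "no constraints recorded (none declared in required_providers?)"
      else if (constraint !~ /^[0-9]+\.[0-9]+\.[0-9]+$/)
        reason = "constraint \"" constraint "\" is not an exact version"
      else if (nhash == 0)
        reason = "no hashes recorded"
      if (reason == "") print src " OK"
      else { print src " FAIL: " reason; bad = 1 }
      in_block = 0
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Stand-alone usage: write each constructed sample to a file and gate it.
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$2" > "$tmp"
  echo "== $1"
  if check_lock_pins "$tmp"; then echo "accepted"; else echo "rejected"; fi
  rm -f "$tmp"
}
demo LOCK_PINNED "$LOCK_PINNED"
demo LOCK_FLOATING "$LOCK_FLOATING"
```

Two caveats: the gate reads what the lock file says, so it belongs next to a check that the file is committed and unchanged by the pipeline, and `required_version` for Terraform itself lives in `terraform.tf`, not in the lock file, so it needs its own check.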
  15. CODE EDITOR
      variable "yandex_token" {
        type        = string
        sensitive   = true
        description = "IAM token for authentication."
      }
  16. CODE EDITOR
      # see registry.terraform.io/providers/yandex-cloud/yandex/latest/docs#zone
      variable "yandex_zone" {
        type    = string
        default = "ru-1c"

        # see cloud.yandex.com/en/docs/overview/concepts/geo-scope
        validation {
          condition     = contains(["ru-1a", "ru-1c"], var.yandex_zone)
          error_message = "Value must be one of `ru-1a` or `ru-1c`."
        }
      }
  17. CODE EDITOR: Output
      output "console_compute_instances_overview" {
        description = "URL for Compute Overview."
        value       = "console.cloud.yandex.com/…"
      }

      output "yandex_folder_id" {
        description = "Yandex.Cloud Folder ID."
        sensitive   = true
        value       = var.yandex_folder_id
      }
  18. TERMINAL: Codify Patterns
      > terraform plan
      Terraform will perform the following actions:

        # yandex_compute_disk.os_disk will be created
        + resource "yandex_compute_disk" "os_disk" {}

        # yandex_compute_disk.data_disk will be created
        + resource "yandex_compute_disk" "data_disk" {}

        # yandex_compute_instance.main will be created
        + resource "yandex_compute_instance" "main" {}

        # yandex_dns_zone.main will be created
        + resource "yandex_dns_zone" "main" {}
  19. Minimally Viable Pattern

      Networking Module
        Resources: vpc_network, vpc_subnet(s), vpc_security_group
        Inputs / Outputs: var.cidr_range, dns_zone, iam_service_account

      Compute Module
        Resources: compute_instance, compute_disk(s), dns_recordset(s)
        Inputs / Outputs: vpc_subnet, dns_zone, iam_service_account

      IAM Module
        Resources: resourcemanager_folder, iam_*
        Inputs / Outputs: var.zone, var.folder_id, iam_service_account
  20. TERMINAL: Module Structure
      > cd module-example && tree
      ├── examples
      ├── CHANGELOG.md
      ├── LICENSE
      ├── README.md
      ├── main.tf
      ├── output.tf
      ├── terraform.tf
      └── variables.tf
  21. CODE EDITOR: Config-driven Move (Terraform 1.1)
      # The resource is renamed to its new address; the moved block tells
      # Terraform to carry the existing state over instead of replacing it.
      resource "yandex_compute_instance" "main" {
        name        = "vdnkh-1"
        platform_id = "standard-v1"
        zone        = var.yandex_zone
        # …
      }

      moved {
        from = yandex_compute_instance.exposition
        to   = yandex_compute_instance.main
      }
  22. CODE EDITOR: Module Defaults
      module "website" {
        source  = "vdnkh/website/yandex"
        version = "1.0.0"

        folder_id = var.yandex_folder_id
        zone      = var.yandex_zone
      }
  23. CODE EDITOR: Protecting Secrets
      provider "yandex" {
        token     = var.yandex_token
        cloud_id  = var.yandex_cloud_id
        folder_id = var.yandex_folder_id
        zone      = var.yandex_zone
      }
  24. CODE EDITOR: Protecting Secrets
      variable "yandex_token" {
        type        = string
        sensitive   = true
        description = "IAM token for authentication."
      }

      # Output names must be plain identifiers, so the output is named after
      # the variable rather than "var.yandex_folder_id".
      output "yandex_folder_id" {
        description = "Yandex.Cloud Folder ID."
        sensitive   = true
        value       = var.yandex_folder_id
      }
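Marking `yandex_token` as `sensitive` is a convention that is easy to forget on the next credential someone adds. The script below is an added example, not code from the talk or its companion repository: it scans a `variables.tf` and flags any variable whose name looks like a credential but is not declared `sensitive = true`, tracking braces so nested `validation {}` blocks like the one on slide 16 do not confuse it. The sample `variables.tf`, the name pattern `SECRET_NAME_RE` and the function name `check_sensitive_vars` are constructed for this example.

```bash
#!/usr/bin/env sh
# Added example: flag input variables whose names suggest a credential but
# are not declared `sensitive = true`. Note that `sensitive` only redacts the
# value from plan/apply output and `terraform output`; the value is still
# written in plaintext to the state file, so state storage needs its own
# access control. The variables.tf content below is a constructed sample.

SAMPLE_VARIABLES_TF=$(cat <<'EOF'
variable "yandex_token" {
  type        = string
  sensitive   = true
  description = "IAM token for authentication."
}

variable "yandex_zone" {
  type    = string
  default = "ru-1c"

  validation {
    condition     = contains(["ru-1a", "ru-1c"], var.yandex_zone)
    error_message = "Value must be one of ru-1a or ru-1c."
  }
}

variable "db_password" {
  type        = string
  description = "Database admin password, injected by CI."
}

variable "ssh_public_key" {
  type        = string
  description = "Public half of the key pair; not a secret."
}
EOF
)

# Variable names that must be sensitive. "public_key" is deliberately not in
# the pattern so public keys are not flagged; tune it to your naming scheme.
SECRET_NAME_RE='(token|secret|password|passwd|private_key|api_key)'

# check_sensitive_vars FILE
# Prints "<name> OK" or "<name> FAIL: ..." per variable block and returns
# non-zero if any credential-looking variable lacks `sensitive = true`.
check_sensitive_vars() {
  awk -v re="$SECRET_NAME_RE" '
    # Top-level block header:  variable "<name>" {
    depth == 0 && /^variable "/ {
      name = $2; gsub(/"/, "", name)
      sensitive = 0; in_var = 1
    }
    # Brace counting so a nested validation {} block does not end the variable
    # early. gsub returns the match count; the replacement is a no-op.
    { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}") }
    in_var && /^[[:space:]]*sensitive[[:space:]]*=[[:space:]]*true/ { sensitive = 1 }
    # Depth back at 0 means the variable block just closed.
    in_var && depth == 0 {
      if (name ~ re && !sensitive) {
        print name " FAIL: credential-like name without sensitive = true"
        bad = 1
      } else {
        print name " OK"
      }
      in_var = 0
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Stand-alone usage on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_VARIABLES_TF" > "$tmp"
if check_sensitive_vars "$tmp"; then
  echo "all credential variables are sensitive"
else
  echo "fix the variables marked FAIL"
fi
rm -f "$tmp"
```

The brace counter is deliberately simple: a `{` or `}` inside a string literal would throw it off, which is acceptable for a pre-commit hook on your own code but not for adversarial input.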
  25. [Diagram: the same sensor-to-gateway topology as slide 1, with a QUARANTINE destination added next to CLOUD and INTERNAL]
  26. Find more resources on github.com/ksatirli/building-infrastructure-you-can-mostly-trust
  27. Find me on twitter.com/ksatirli